Package Details: rwu 0.0.7-1

Git Clone URL: https://aur.archlinux.org/rwu.git (read-only)
Package Base: rwu
Description: Random Urdu words/phrases generator.
Upstream URL: https://www.techtum.dev/work-urw-220310.html
Licenses: MIT
Submitter: siphr
Maintainer: siphr
Last Packager: siphr
Votes: 0
Popularity: 0.000000
First Submitted: 2022-03-10 22:17 (UTC)
Last Updated: 2022-03-13 15:41 (UTC)

Dependencies (1)

Required by (0)

Sources (1)

Latest Comments

siphr commented on 2022-03-13 11:08 (UTC)

Thank you a821. You have been very helpful and this has been a great exercise; it gives me a bit of confidence with the AUR workflow. Yep, the idea was to use one package as a learning platform and then replicate these fixes across all the past ones. Once again, thank you very much. I hope it wasn't very annoying :)

a821 commented on 2022-03-13 09:36 (UTC)

The PKGBUILD looks much better now, though there are some issues.

more important:

  • Please use quotes around $pkgdir and $srcdir, otherwise it will break if the path contains spaces. For example, use: cd "$srcdir/$pypkgname-$pkgver/pip/".
  • Don't skip the MD5 checksums. Usually they are skipped when you have VCS sources, but this is not the case (for example: sources=(git+https://github.com/...)). You can use updpkgsums to update the checksums automatically.

less important:

  • Custom variables must be prefixed with an underscore. In your case pypkgname should be _pypkgname. The reason is they could conflict with internal makepkg variables.
  • You can use $pkgver in sources to simplify updates ("https://github.com/siphr/urw/archive/refs/tags/$pkgver.tar.gz")
  • You forgot the LICENSE. You can use the last command I wrote in the previous comment (you need to cd to the right path though).

Regardless, you addressed the major concerns so I will cancel the deletion request.

Please don't forget to fix your other packages, I will check again in a couple of days :-)

siphr commented on 2022-03-13 01:10 (UTC)

Thanks for your help and patience @a821. I have made the following changes now:

pip or sudo pip references were removed. Source has been tagged and released. Consequently md5sum has been added.

AUR and Git have been updated accordingly. Once you OK this I'll fix the rest of the packages. Thanks very much.

a821 commented on 2022-03-12 11:03 (UTC)

Using sudo is dangerous not only because there could be malicious code, but an unintended bug can create havoc... If I see sudo I would imagine it is malicious. (We could argue that in this particular case it's non-malicious, but it's not the point; the point is not to use sudo, period).

Unfortunately it is not possible to disable the package, though you could contact a TU via IRC so it can be deleted more quickly and you resubmit it again fixed.

Regarding the package name, you can call it whatever you want; python-urw was just a suggestion. If you want to call it rwu, it's fine.

The script rwu can be created in build() as you do, the issue here is (sudo) pip install which is wrong. Though don't use date as this would result in a non-reproducible package. See https://wiki.archlinux.org/title/Reproducible_builds

For the script I think I'd simply use something similar to the echo command, so it would look something like this (the permissions are taken care of by install(1)):

build() {
    cd urw-$pkgver
    python setup.py build
    echo -e '#!/bin/sh\n\nexec python -m urw.urw "$@"' > rwu
}

package() {
    cd urw-$pkgver
    python setup.py install --root="$pkgdir" --optimize=1 --skip-build
    install -Dm755 rwu "$pkgdir/usr/bin/rwu"
    install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
}

siphr commented on 2022-03-12 10:30 (UTC)

Thanks a821, I did do the sudo change last night as a temporary change because I was meaning to NOT install in the home directory as directed, but I thought about it overnight and realised it was a bad change. Not sure if it's "dangerous" but it's surely broken, because the sudo-ness will only work if the user is a sudoer; otherwise I believe the package install would just fail.

So I was going to look at it today to see if there is a way to temporarily disable the package or something of that sort while I fix it. I tried looking for a way to delete the package myself yesterday as well while I make the changes, but the only option I found was to disown it.

I do believe the python-rwu name would imply that it's installed as a Python package, whereas I want it to be an independent command, be it a light shell over the Python package.

The other packages I want to fix as well of course, but I want to just learn the correct way to do it with this package first, and then I'll go replicating the fix for all other packages.

The thing that I do not understand with your shared pkgbuild is that, THAT build is just going to install the python package and not the rwu as bash script command as it is currently structured.

I guess I need to find an example of how code implemented as a package in python/pip is exposed as an aur package. Just thinking out loud here.

a821 commented on 2022-03-12 09:58 (UTC)

You just made the package worse and actually quite dangerous. You should never use sudo in a PKGBUILD. No exceptions.

There's a lot going wrong here:

  • pkgname: Not sure why you decided to use rwu but OK. I see that urw is taken, but I would've chosen python-urw as it is available. If you do decide to change the name, you need to create and submit another PKGBUILD and let this package be removed.
  • pkgver: this should be 0.0.6 as I see in pypi page.
  • pkgrel: this is set to 1 usually and incremented if the PKGBUILD changes. See https://wiki.archlinux.org/title/PKGBUILD#pkgrel
  • arch: If there are no C extensions then it should be any in most cases.
  • source: You have no tags in the git repo, so please use pypi to download the sources, for example, https://files.pythonhosted.org/packages/source/${_name::1}/$_name/$_name-$pkgver.tar.gz where _name=urw (you can actually copy&paste). If you use git tags, then it should point to a tag, like https://github.com/user/repo/archive/refs/tags/$pkgdir.tar.gz
  • build(): Completely wrong. This usually follows the same pattern which you can almost copy and paste from here: https://wiki.archlinux.org/title/Python_package_guidelines#setuptools_or_distutils
  • package(): same as above, but add the license at the end, see here: https://wiki.archlinux.org/title/PKGBUILD#license
  • checksums: Though not necessary, use sha256sums or better instead of md5sums
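
Added example, not part of the thread and not the rwu project's code: a small shell lint that flags the PKGBUILD problems raised in the comments above (sudo, pip install, date in build(), unquoted $pkgdir/$srcdir, SKIP checksums on non-VCS sources, custom variables without an underscore). The function names, finding codes and the sample PKGBUILD are constructed for illustration, and the regex checks are heuristics.

```shell
# Heuristic PKGBUILD lint: prints "CODE:line" per finding (illustrative, not complete).
# Numbered, non-comment lines of the file, as "N:text".
_code_lines() { grep -n '' "$1" | grep -vE '^[0-9]+:[[:space:]]*#'; }
# _flag CODE ERE: emit "CODE:N" for each numbered stdin line matching ERE.
_flag() { { grep -E "$2" || true; } | cut -d: -f1 | sed "s/^/$1:/"; }

lint_pkgbuild() {
    f=$1
    known='pkgbase|pkgname|pkgver|pkgrel|epoch|pkgdesc|arch|url|license|groups|depends'
    known="$known|makedepends|checkdepends|optdepends|provides|conflicts|replaces|backup"
    known="$known|options|install|changelog|source|noextract|validpgpkeys|[a-z0-9]+sums"
    # Privilege escalation, and installs that bypass $pkgdir.
    _code_lines "$f" | _flag SUDO '[^[:alnum:]_]sudo([^[:alnum:]_]|$)'
    _code_lines "$f" | _flag PIP '[^[:alnum:]_]pip3?[[:space:]]+install'
    # date(1) output differs per build, so the result is not reproducible.
    _code_lines "$f" | _flag DATE '[^[:alnum:]_]date([^[:alnum:]_]|$)'
    # $pkgdir/$srcdir outside double quotes (quoted strings are dropped first).
    _code_lines "$f" | sed 's/"[^"]*"//g' | _flag UNQUOTED '\$\{?(pkgdir|srcdir)'
    # SKIP is only expected when a source is VCS (git+https://... and similar).
    if ! grep -qE '(git|svn|hg|bzr)\+' "$f"; then
        _code_lines "$f" | _flag SKIPSUM '[^[:alnum:]_]SKIP([^[:alnum:]_]|$)'
    fi
    # Top-level custom variables must start with an underscore.
    _code_lines "$f" | grep -vE "^[0-9]+:($known)(_[a-z0-9_]+)?\+?=" |
        _flag VARNAME '^[0-9]+:[A-Za-z][A-Za-z0-9_]*\+?='
}

# Constructed sample (not the real rwu PKGBUILD) showing the issues discussed.
sample_pkgbuild() {
    cat <<'EOF'
pkgname=rwu
pkgver=0.0.7
pkgrel=1
arch=('any')
pypkgname=urw
source=("https://github.com/siphr/urw/archive/refs/tags/$pkgver.tar.gz")
md5sums=('SKIP')
build() {
    cd $srcdir/$pypkgname-$pkgver/pip/
    sudo pip install .
    echo "built on $(date)" > stamp
}
package() {
    install -Dm755 rwu "$pkgdir/usr/bin/rwu"
}
EOF
}

tmp=$(mktemp) && sample_pkgbuild > "$tmp" && lint_pkgbuild "$tmp"; rm -f "$tmp"
```

Run `lint_pkgbuild PKGBUILD` before pushing to the AUR; namcap remains the more thorough check, this only covers the points from the review above.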